FlowX.AI 5.8.0 Release Notes

Deployment models:

Self-Hosted Features for self-hosted (on-premises) deployments
All Deployments Features available in both self-hosted and SaaS

Sharing a FlowX solution used to mean handing out admin keys. 5.8.0 changes that. The AI Developer now ships the React component you wished you’d had time to build, PII never reaches your LLM by accident, and you can finally invite a reviewer without giving them the platform.

What changed since 5.7.0

5.7.0	5.8.0
End-user access management with org-level roles and groups	+ Runtime authorization with project-version-scoped roles, groups, and attribute-based assignment
UI Flows accessible to any runtime user	+ UI Flow permissions: assign roles per UI Flow, evaluated at runtime
Custom Components in UI Flows only (Phase 1, React)	+ Custom Components in Processes with shared data model, input/output mappings, and AI Developer generation
Built-in UI components	+ Tooltip, Markdown, Progress Bar, Separator as new theme components
React-only multi-file upload	+ Angular SDK bulk file upload
Generic webhook gateway	+ Webhook provider adapters (Slack, with HMAC signing-secret validation)
Oracle Database (basic SQL editor)	+ Richer SQL autocomplete in the Monaco editor: operators, schema-aware tables/columns, and `:paramName` interpolations
No personal-information guardrails on AI workflow nodes	+ PII Guard with input/output scans, sensitivity presets, and an entity catalog

What’s new?

Platform
Builders
AI Platform

🔐 Runtime authorization - Project-scoped roles, end-user groups in FlowX, and Solutions → Share flow
📋 UI Flow permissions - Role-based UI Flow visibility with runtime enforcement

Runtime authorization

Runtime authorization overhaul

Overview
Key Features
Architecture
Migration

Before 5.8.0: a role on a user matched every project that role appeared in. Now: roles live at the project version, sharing is explicit, and Designer users still bypass runtime so they can demo without standing up test accounts.Runtime access is reorganized around the project. Roles live at the project version, each org has a managed catalog of end-user groups, and access flows through a Solutions → Share modal. FlowX retains authentication and external-IDP federation in Keycloak; runtime roles, end-user groups, and project-scoped sharing live in FlowX itself, evaluated by a custom runtime authorization service tuned for the volume of runtime permission checks. SpiceDB remains the design-time permission engine for Designer access.

Documentation

See Setup guides → Access management → Runtime authorization.

Project-scoped roles

Each project version declares the runtime roles required to operate it. Roles are org-level entities, defined once and reusable across projects and libraries.

Default `user` role on creation

New projects spawn with a default user role so a fresh project is reachable on day one without extra wiring.

Sharing from Solutions

The Solutions page gains a Share modal. Pick a user or end-user group, assign a role, and the user can launch the solution at runtime.

End-user groups in FlowX

Groups previously managed in Keycloak now live in FlowX. Recommended pattern: an “All End Users” group per single-role solution; one group per role for multi-role solutions.

Process swimlane roles

BPMN swimlanes assign view, execute, and self-assign permissions per role.

Designer-user bypass

Designer users can run any project they have designer access to without holding a runtime role; they auto-receive view, execute, and self-assign on every swimlane.

Active Policy gate

The Share modal lists only roles defined in the build set as Active Policy for the project. Roles defined in a non-active build do not appear until promoted.

The 5.8.0 release introduces a clear split between authentication and runtime authorization:

Concern	System	Notes
Authentication, sessions, MFA	Keycloak	Unchanged
External IDP federation	Keycloak	Configured per organization
User attributes (business filters)	Keycloak	Source of truth for token claims
Runtime roles	FlowX (custom CAS)	Defined per project version, evaluated at runtime
End-user groups	FlowX (custom CAS)	Replaces Keycloak group management
Project-scoped sharing	FlowX (custom CAS)	Solutions → Share modal
Design-time permissions	FlowX SpiceDB	Designer UI access; unchanged from prior releases

A designer-user Keycloak attribute is auto-managed on each user (true for designer users, false for end-users), with a mapper on the flowx-platform-authenticate client so the engine can check it cheaply on the access token.

All Deployments

UI Flow permissions

Overview
Key Features
Migration

Before 5.8.0: every UI Flow was reachable by anyone with runtime access. Now: each UI Flow carries its own allow-list and components inside it can be hidden or disabled per role.Each UI Flow now carries a list of allowed runtime roles. Users without one of those roles cannot start the UI Flow at runtime, and the UI Flow does not appear in the solutions list returned by the runtime API. Inside a UI Flow session, individual components can be hidden or disabled by permission-based rules evaluated at runtime against the user’s permission set.

Documentation

See UI Flows → UI Flow permissions.

All Deployments

Custom Components in Processes

Overview
Key Features
Limitations

Before 5.8.0: Custom Components only ran in UI Flows. Now: drag one onto a Process User Task and the React SDK applies the input/output mappings at runtime.Bundled Custom Components, previously only usable in UI Flows, now render in Process User Tasks. Each Custom Component carries its own data model with explicit input and output slices, and you map process data into and out of the component at each use site. Renderer support ships in the React SDK.

Documentation

See Custom Components → Using Custom Components in Process User Tasks.

Process User Task host

Drag a Custom Component onto a Process User Task layout the same way you do in UI Flows.

Custom Component data model

Each Custom Component declares its own data model. The Designer keeps input and output slices isolated so the component contract is clear at every use site.

INPUT mappings

Map process data attributes onto the Custom Component’s input slice at runtime, so the component receives only the data it declared.

OUTPUT mappings

When the component triggers an action, the React SDK applies the configured OUTPUT mappings before piping saveData back to process variables.

Test with sample inputs

The Custom Component editor lets you fill input params with sample data for in-Designer preview, mirroring the UI Flow test flow.

Import and export

Custom Components export and import alongside the data model and mappings so a component travels intact between projects.

All Deployments

New UI components

Four new theme components ship with renderer parity across React, Angular, and Android SDKs.

Tooltip

Contextual hint anchored to any UI element. Configurable text (static, local variable, or computed expression), position handling, and an optional icon.

Markdown

Render Markdown content from a static string or computed expression, with localization formatting for numbers, dates, and currency. Six heading levels and link styling are theme-driven.

Progress Bar

Visual progress indicator. Set a value between 0 and 1 from a static value, local variable, or computed expression.

Separator

Visual divider with theme-driven color. Adjustable height for layout spacing.

All four are exposed in the Theme Admin sidebar so theme overrides cascade through templates.All Deployments

Angular bulk file upload

Overview
Key Features

The Multiple File Upload component (BULK_FILE_UPLOAD), previously available only in the React SDK, now ships in the Angular SDK with the same drag-and-drop area and theming. Existing UI Flows that use the component render across React and Angular containers without configuration changes.

Documentation

See the Multiple File Upload component reference.

All Deployments

UI Flow multi-file upload backend

Overview
Key Features

Multi-file uploads from UI Flows now use a dedicated bulk endpoint and a single completion event in place of the per-file pattern. The upload action accepts a list of temp-file IDs in one request and the SDK receives a single SSE frame when the batch is persisted.

Documentation

See Multiple file upload → UI Flow upload flow.

Single bulk endpoint

POST /ui-flow/{uiFlowSessionId}/upload-multiple accepts a list of temp-file IDs and returns a server-generated uploadBatchId.

Single completion event

One SSE frame (UI_FLOW_FILE_UPLOAD_MULTIPLE, namespace = uploadBatchId) delivers per-file results once the batch is persisted.

New Kafka topic

ai.flowx.plugin.document.trigger.persist.document.session.bulk.v1 carries the bulk command from process-engine to document-plugin.

Session variable mapping

Per-file results are stored as a list under the upload action’s responseKey in the UI Flow session.

All Deployments

Webhook provider adapters

Overview
Key Features

Inbound webhook registrations now select a provider: GENERIC or SLACK. The Slack adapter performs HMAC-SHA256 signature validation against the Slack signing secret on every request, including the X-Slack-Request-Timestamp skew check (5 minutes). Provider-segmented URLs (/webhooks/incoming/slack/...) keep generic and provider-specific registrations isolated. Future providers plug in behind the same InboundProviderAdapter interface without changing the URL contract.

Documentation

See Incoming webhooks → Provider adapters.

Slack signature validation

HMAC-SHA256 on X-Slack-Signature, with timestamp skew enforced

Slack URL-verification handshake

The gateway answers Slack’s url_verification challenge automatically

Provider-segmented URLs

/webhooks/incoming/{provider}/... keeps providers isolated; mismatch returns 400

Independent secret rotation

Rotate the provider signing secret without touching the FlowX API key

Settings tab

Provider + signing secret moved to a dedicated Settings tab on the webhook system

Pluggable

New providers add an adapter and an enum value; no URL or registration schema changes

All Deployments

Richer SQL autocomplete

Overview
Key Features

The Monaco editor on the Oracle Database data source now ships with a full SQL language definition. Autocomplete suggestions cover SQL keywords and operators, table and column names parsed from the saved schema context, and :paramName interpolations resolved from the parameters panel.

Documentation

See the Oracle Database SQL editor documentation.

Keywords and operators

Full SQL language definition powers keyword highlighting and completion.

Schema-aware suggestions

Tables and columns parsed from the saved schema context appear in completion lists.

Parameter interpolation

:paramName placeholders resolve against the parameters panel for inline preview.

Editor consistency

Matches the editor experience used by other code surfaces in the Designer.

All Deployments

Data source UX redesign

Overview
Key Features

The Data Sources resource page is rebuilt around a tile-based creation flow and a unified details view. Each data source type has its own icon and a dedicated tile in the New Data Source modal, with a search box that filters tiles as you type. The list view shows the type next to each entry and adds a type filter so you can scope the list by connector. Settings panels for every data source type are normalized to the same card-based layout.

Documentation

See the Integration Designer reference for data source configuration.

All Deployments

PII Guard

Personal Information Guard

Overview
Key Features

Before 5.8.0: data-sensitive customers couldn’t enable AI workflow nodes at all. Now: every AI node carries a per-node guardrail with sensitivity presets, scan directions, and a fail-closed contract.AI workflow nodes gain a per-node guardrail that detects and replaces personal information before it reaches the LLM and, optionally, scans LLM output before it flows downstream. The guard runs against the new Data Privacy service, configured per node with sensitivity presets, scan directions, and an entity catalog organized into Universal, Regional EN, and Regional RO scopes. Iteration 1 covers Custom Agent, Intent Classification, Extract Data from File, and all AI Text, Document, Image, and Data Operations, including Document Generation.

Documentation

See Integration Designer → AI Nodes → Personal Information Guard.

Per-node toggle

Enable on any AI node. Choose a sensitivity preset (Strict / Balanced / Relaxed) or set a custom threshold.

Input and output scans

Redacts inputs and systemPrompt before the LLM call; optionally scans LLM output before it leaves the node.

File redaction

Document and image nodes get a redacted source artifact uploaded back to the same storage; the file binding is swapped automatically.

Entity catalog

24 entity types (email, phone, IBAN, etc.) grouped under Universal, Regional EN, and Regional RO. Modal supports search and section-level Select All.

System-prompt appender

Custom Agent nodes get a non-editable system-prompt segment teaching the LLM how to handle <PII type=.../> placeholders.

Fail-closed

Any error from the Data Privacy service stops node execution and surfaces on the run log; no partially-redacted prompts reach the LLM.

Run-log visibility

Each scan reports status, per-entity detection counts, and (for file scans) original and redacted storage paths.

New Data Privacy service

Backed by Presidio. Configured via FLOWX_DATAPRIVACY_BASEURL and FLOWX_DATAPRIVACY_TIMEOUTSECONDS on integration-designer.

All Deployments

Knowledge Base enhancements

Knowledge Base

Overview
Key Features

Knowledge Bases gain richer metadata and a more resilient indexing path. Stores and chunks expose system metadata fields you can filter on in the Test KB modal and the Custom Agent node, the indexer and embedder communicate over Kafka instead of synchronous calls, and the Update Knowledge Base node can ingest files by path from inside a workflow.

Documentation

See Knowledge Base → Overview.

System metadata on stores

Filter entries by Source (Manual or Workflow), Uploaded, Doc name, Doc type, Doc pages, and Store origin

System metadata on chunks

Filter chunks by Chunk counter, Chunk type, Chunk section, Chunk page start, and Chunk entry

Kafka between indexer and embedder

Replaces the previous synchronous gRPC path; per-chunk embedding requests flow through ai.flowx.ai-platform.knowledgebase.internal.embedding-request.v1

Delete chunks from Qdrant

Indexer forwards a delete job to the embedder, which removes matching points from Qdrant when an entry is deleted

File path mode in Update KB node

The Update Knowledge Base node accepts contentType: FILE_PATH so workflows can ingest content uploaded earlier in the run

Doc pages in agent stream

Custom Agent streaming responses include doc_pages and chunk metadata (counter, type, section, page start) for richer trace and debug

All Deployments

Web Crawler multi-URL filters

Overview
Key Features

The Web Crawler node now accepts up to 20 URL filter patterns per crawler configuration. Open the URL Filters modal on the Web Crawler node, add one row per pattern, and the crawler restricts its breadth-first traversal to URLs that match any of the configured filters.

Documentation

See the Web Crawler setup guide.

All Deployments

AI Developer generates Custom Components

Overview
Key Features
Limitations

Before 5.8.0: the AI Developer wrote business rules and JS expressions. Now: it ships entire React Custom Components — JSX, CSS, package.json, and sample input data — in one prompt.The AI Developer pre-built agent gains a Generate Custom Component action and an Edit Custom Component action. From the Designer’s AI command center, describe the component you want, and the agent returns a complete React bundle (JSX, CSS, package.json, and sample input data) that you can preview, accept, or iterate on. The same conversation can edit existing components.

Documentation

See AI Developer → Pre-built agents.

Generate from natural language

Describe a component in plain language; receive JSX, CSS, package.json, and sample input data in one response.

Sample input field

A dedicated input field lets you provide preview data so the generated component renders meaningfully on first run.

Edit existing components

Iterate on a generated or hand-authored component through the same conversation. The agent keeps the component context.

Inline preview

The Designer’s Preview area renders the generated bundle next to the conversation so you can validate before saving.

Dependency summary

A new dependency summary panel surfaces the npm packages the agent included in package.json.

Keep / Discard

Accept the generated bundle into the workspace or discard it without leaving the conversation.

All Deployments

iframe logout postMessage contract

iframe logout postMessage

The runtime SaaS app now notifies an iframe parent when a user logs out. When the parent passes a parentOrigin query parameter on the /{orgCode}/logout URL, the runtime posts { type: 'logout-success' } to window.parent immediately before the sign-out redirect. Host applications that embed the FlowX runtime in an iframe can listen for this message and react (clear local state, navigate, surface a UI cue) without polling the iframe URL.All Deployments

Right-click Add UI component in Processes and Reusable UI Templates

The right-click contextual menu for adding a UI component, previously available only in UI Flows, now works in Process User Tasks and Reusable UI Templates as well. Right-click a node in the components hierarchy panel to insert any allowed child component without dragging from the palette. Copy and paste styles are also exposed from the same menu.All Deployments

Pointer cursor on actionable elements

Web renderers now switch the cursor to a pointer when hovering over any UI component bound to an action, matching standard web affordances. No configuration change is required — the new behavior applies automatically to elements that already declare an action role.All Deployments

”Process Data” → “Local Variables” rename

Process Data renamed to Local Variables

In the UI Designer, the Process Data label is now displayed as Local Variables when you are editing a UI Flow or a Reusable UI Template. Process editing is unchanged and continues to use Process Data. The data source key and binding behavior are identical; only the user-visible label changed, so existing flows continue to work without any update.All Deployments

License billing guards

The license service no longer creates billing plans for periods past an organization’s subscription end date. This prevents stale plan rows from accumulating after a subscription expires and aligns the on-prem billing trail with the SaaS-side license lifecycle.Self-Hosted

Speech-to-text and Web Crawler in AI consumption

AI consumption tracking now includes Speech-to-text and Web Crawler workflow nodes alongside the existing AI Text, Document, Image, and Data Operations. Organizations on AI consumption-based plans see usage and billing reflected for these nodes from 5.8.0 onward.All Deployments

Shipped by

This release is the work of the FlowX engineering team — backend, frontend, AI, infra, QA, and docs. It also belongs to the customers who told us what was broken last quarter. Thank you.

Deployment guidelines

For component versions, environment variables, Kafka topics, and migration guidance, see Deployment guidelines v5.8.0.

​What changed since 5.7.0

​Runtime authorization

Runtime authorization overhaul

Documentation

Project-scoped roles

Default `user` role on creation

Sharing from Solutions

End-user groups in FlowX

Process swimlane roles

Designer-user bypass

Active Policy gate

​UI Flow permissions

UI Flow permissions

Documentation

Permissions page

Default role on creation

Per-component hide/disable

Permission toast

Input-parameter validation

Travels with import/export

​Custom Components in Processes

Custom Components in Processes

Documentation

Process User Task host

Custom Component data model

INPUT mappings

OUTPUT mappings

Test with sample inputs

Import and export

​New UI components

New UI components

Tooltip

Markdown

Progress Bar

Separator

​Angular bulk file upload

Angular bulk file upload

Documentation

Renderer parity

Drag-and-drop area

Theme-driven

No flow changes needed

​UI Flow multi-file upload backend

UI Flow multi-file upload backend

Documentation

Single bulk endpoint

Single completion event

New Kafka topic

Session variable mapping

​Webhook provider adapters

Webhook provider adapters

Documentation

Slack signature validation

Slack URL-verification handshake

Provider-segmented URLs

Independent secret rotation

Settings tab

Pluggable

​Richer SQL autocomplete

Richer SQL autocomplete

Documentation

Keywords and operators

Schema-aware suggestions

Parameter interpolation

Editor consistency

​Data source UX redesign

Data source UX redesign

Documentation

Tile-based creation modal

Type icons in the list

Filter by type

Unified settings layout

Save with incomplete config

​PII Guard

Personal Information Guard

Documentation

Per-node toggle

Input and output scans

File redaction

Entity catalog

What changed since 5.7.0

Runtime authorization

UI Flow permissions

Custom Components in Processes

New UI components

Angular bulk file upload

UI Flow multi-file upload backend

Webhook provider adapters

Richer SQL autocomplete

Data source UX redesign

PII Guard

Knowledge Base enhancements

Web Crawler multi-URL filters

AI Developer generates Custom Components

iframe logout postMessage contract

Context menu adds UI components in Processes

Pointer cursor on actionable elements

”Process Data” → “Local Variables” rename

License billing guards

Speech-to-text and Web Crawler in AI consumption

Shipped by

Deployment guidelines